Cold hands, safe code?

Those of us who will soon experience winter’s wrath can perhaps take small comfort in the thought that our cold hands could help deter the theft of our security codes from bank ATMs.

You see, warm hands and thermal imaging can help thieves steal personal identification codes from ATMs, safes, car doors or building access control points.

This frame of an ATM keypad was captured by a thermal camera during a study to determine whether the camera could enable unauthorized access to security codes. The image was captured immediately after the keyboarder’s hand was removed from view. The regions of interest are shown by the colored boxes, and the temperatures are shown in Fahrenheit on the scale bar. The four digits pressed appear to be 1, 4, 5 and 8, and it seems most likely that 1 and 4 were pressed before 5 and 8. The code entered was indeed 1485. Image courtesy of Keaton Mowery and Sarah Meiklejohn.
In the past, thieves have used conventional cameras to photograph the code while it is being typed. But body heat stays on the keys for a short time after they are pressed, and scientists at the University of California, San Diego, have found that an IR camera can be used to recover a security code after the legitimate user has left the scene.

The researchers demonstrated that a thermal camera attack against keyboard code entry is easily scalable and could be quite effective.

Anyone who wants to steal such a code can simply walk up with a thermal camera and film the keypad, as long as he does this soon enough after the code has been entered and he is sure no one is around to see him, they wrote in their report, Heat of the Moment: Characterizing the Efficacy of Thermal-Based Attacks.

If the ATM user’s hands were colder, or if his fingers used a lighter touch on the keyboard, the thermal cameras tested were not as effective in capturing the code. “Also, we found that metal keypads were extremely resistant to thermal imaging, as they conducted heat so well,” said researcher Keaton Mowery.

The team added that the distance of the camera from the keypad had little effect on the results, but that further study is needed in this area.

The basic setup involved an A320 Flir camera running at 9 Hz, situated on a tripod in front of simulated ATM keyboards made of metal or plastic. The group had 21 people press 27 different codes chosen at random. Seven of the codes contained at least one duplicate, and the other 20 contained four unique digits.

Even a minute after the keypad was pressed, they were still able to recover more than half of the entered codes.

“As for the effects of our research, we aren’t aware of any use of thermal attacks in the wild,” said Mowery. “If people are interested in protecting against this attack, though, they can simply press a few buttons after entering their PIN but before removing their hand from the keypad. The extra heat should confuse any attempts to retrieve the PIN from thermal residue.”